-
Notifications
You must be signed in to change notification settings - Fork 128
-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shim 15.8 + extra patch for EgoSecure (Matrix42) #353
Comments
|
Hi, thank you for the response!
I've updated the repo with the recommended patch and I've rebuild the shim and updated README and ISSUE_TEMPLATE with the latest sha256 value. I've also update the sbat value from :
Thanks for looking into this! |
Hi @MuthuvelKuppusamy, @THS-on, could we have a review over the latest change? We are trying to fix current problems for our customers. Thanks! |
@BogdanAriton there was quite a big queue of submissions and we are still working through it, mostly in our spare time. I'll try to have a look at it, once most of the old submissions got some updates and I find some free time :) In the meantime it would be awesome, if you can help with the submission process by taking a look at other submissions and adding an (unofficial) review (see here for guidelines https://github.com/rhboot/shim-review/blob/main/docs/reviewer-guidelines.md or have look at the accepted submissions). |
@THS-on - sure I've went through the reviewer-guidelines.md, hopefully I'm not missing anything. Thank you for you're effort! 👍 |
I haven't checked the shim binary checksums and reproducibility, since the Please, fix it and I'll perform further review. If you need help with this, feel free to ping me here. |
@aronowski - I need help here because I'm not sure what I need to fix. The issue you are referencing has been merged a while back, so it should be part of the current version I presume. |
@BogdanAriton, some mistakes are shown in the following:
|
@BogdanAriton, it's a matter of integrating the changes, I linked to, to your build process. I did something like this by porting that patch, naming it buggy-binutils.patch and adding to my review here. The integration part might be what I'd need to dive deeper into, as I'm more familiar with the Fedora/RHEL family, rather than Debian. |
@aronowski - thanks for the help! I've made the update. I've also checked the .sbatlevel and it looks fine now.
|
@aronowski - any chance we can have a review? 💯 , we're trying to solve some of the issues we have for our clients. Thank you! |
@BogdanAriton, yes, I'll try my best, but considering that the bootchain is different from what I know and that I'm not a low-level programmer to have an authority to speak about the shim PR 620, it's not going to be easy for me to verify everything thoroughly. First, I'll just scratch the surface and focus on the easier parts. The good thing is that some older shims were already signed and the applications accepted. |
Why is not providing shell access to your users relevant to your kernel's implication on the secure boot attack surface. If your kernel is signed with a key inside your shim, a hyptohetical malware author can take your shim and kernel by themselves and glue any userspace on it. This is true unless your kernel is only executable as part of a signed UKI-like image containing an initrd and cmdline. Otherwise all command line options, the entire initrd, and syscalls from userspace are part of your attack surface.
Does this mean that you execute a Linux based environment prior to Windows as a login dialog, then you chainload Windows? If so, how do you verify that your bootloader cannot be used to load backdoored copies of Windows? |
OK, I did scratch the surface as promised. Some entries will need fixing, but let's start with the good ones: Shim build reproduces file, checksum matches. Its characteristics are alright, but there are ongoing discussions about the handling of the bootchain in the context of NX support. If it turns out it shall not be present in this case, it's just a matter of rolling back the patch that applies the related flag.
Yes, it's the And now the things that need fixing:
A proper strategy will be needed to be implemented if using ephemeral keys is not possible. It's required. You can base one on these proposals by @THS-on and ask for help if needed.
As far as I can see, only the first commit would be present in that kernel. Please, upgrade to the most recent version possible, as these patches will be required in most cases (most common configurations).
I don't have the experience needed to verify, if this patch won't sometimes be causing a behavior that Microsoft wouldn't approve - I'll leave this one for the experts here. There's also a curiosity that wasn't there in the last time you got your successful application - there's no tag referring to the commit to be reviewed. I suppose this makes it easier for Microsoft to handle things, so please add it and edit the issue's entry message, so the links point to it. Also remember to update the answer to the "What is the SHA256 hash of your final SHIM binary?" question in that message. I can see the contacts changed since the last review - I'll send verification emails soon. |
@aronowski - Thank you for the notes and the review! (also very good points from @kukrimate )
Upgrading the Kernel will potentially impact the product and, as I've mentioned in the template, the chain of trust got broken at some point because the old cert expired and part of the pipeline that builds the product just updated the cert we used to sign our efi apps and other cab files, but the shim got left behind. This happened at the start of the year and we have a lot of clients that can't enable secure boot because of this problem.
This particular patch is in debate, there is another method I can use and that is to avoid loading options all together, until an actual patch can be made for this particular issue and I will make that change when I come back. ( I can add more details about the patch if you think is necessary)
Can you elaborate further, which commit are you referring to?
Ups! I updated in the readme, but left the old one in the template. (will make the update as soon as possible)
Thank you! |
Verification emails sent. |
Unsure if this will be a well-deserved rest or dealing with other tough stuff, but hopefully the former - this review process and the software maintenance is hard already.
Unless someone at Microsoft or from the committee says otherwise, I think that maybe that kernel could be patched with the "75b0cea7bf307f362057cc778efe89af4c615354 "ACPI: configfs: Disallow loading ACPI tables when locked down"" patch and a laboratory setting arranged to see if the proof-of-concept exploit linked there works or does not work. If I had more time and a trial access to EgoSecure Full Disk Encryption, I'd test this out myself. The issue that "eadb2f47a3ced5c64b23b90fd2a3463f63726066 "lockdown: also lock down previous kgdb use"" fixes can be, as far as I'm concerned, fixed by simply setting
I know that feeling - will try my best to make the thing compliant with the current requirements.
We can give it a shot, but still, for a proper verification I'd need to become a low-level developer or prepare such a laboratory setting that could provide me with a definite answer.
If the update was to happen today, there should be a tag named
👍 |
@aronowski - Hi, and thanks for all the help and effort with our submission. |
Reviewers: Please refrain from accepting this for the time being, we are having some additional discussions in the keybase about this to make sure that MS is aware of this use case and comfortable with signing it this way. Because we're not sure this is well highlighted to them via this process, and it's not clear how the previous shim ended up signed despite strong rejection from multiple reviewers for the first submission. Regarding the kernel patches, we do not care if this shim is crucial for unlocking your customers or not, including the patches is mandatory to get the shim signed, there is no discussion to be had there. I'd be open to signing the shim with an older sbat level that was valid at the time the patches were not included but I don't think this provides you a lot of value. The shim also sets the NX bit as far as I can tell from the patch, so an NX-compatible kernel is mandatory, which we believe I think 6.7 now is, but due to lack of real actual hardware to test this for most people it's all a bit fuzzy, so that's another no-go. #359 has more details on this, and yes I'm aware this is a 360° turn from what @MuthuvelKuppusamy asked in his review, but sadly it's the reality that stuff with NX is not going well. |
@aronowski - here are the my words from the verification email: |
@julian-klode Thanks for your input, we discussed internally, we will address the issues brought up asap and get back to you with an updated version for review. |
@AndreiVoicuM42 what the status? Please update the submission to 15.8 or create a new one. |
Hi @THS-on , thanks for the message, we've update our source to use Linux 6.6.9 (with the latest CVE patches and without the NX bit) and we're in the late stages of testing. Will make the necessary updates to the README as soon as possible. We will continue on this review if that's OK with you. |
@THS-on , @aronowski - I've updated the review. Please let us know if we should change or update anything. |
Although you've been accepted in the past, we've never done formal contact verification. Let's do that now. Mails on the way. |
Hi @steve-mcintyre, here are the words from the verification email:
@SherifNagy - thanks for the review, I'll try to address these questions as soon as possible; (I was out yesterday and most of today) |
Hi @steve-mcintyre, @aronowski already did the contact verification earlier (#353 (comment)), but here is the confirmation for you as well: heisting deters hotels disestablish unbroken Gino Cavendish substantiates s= pecious Presidents Thank you for taking over our submission. |
@SherifNagy - thank you for your review (I've added my answers below)
|
Hi @SherifNagy , @steve-mcintyre , not to pester you :) , but did you hear back from MSFT regarding our custom second stage bootloader? And did you have time to review our answers, or do you need additional information from our side? |
@AndreiVoicuM42 We haven't heard anything yet from MSFT side, however I have just question that I am curious about actually:
|
Review of Shim 15.8 + extra patch for EgoSecure (Matrix42)OK
Issues / queriesSorry, there's quite a few of these:
|
Also, as @aronowskimentioned - I don't see any git tags on your submission. It's fine that you're using a branch when making changes, but we want to see tags too so that we have a better indication of an unchanging submission. |
Hi @steve-mcintyre , thank you for the review! Sorry for the delayed response, I'll try to answer things as best as possible:
Right, this is just a mistake on my part. It's not a CA certificate; it's an EV certificate. I've updated the README to reflect this as well. Matrix42AG@a5bc735
Last time, I uploaded the latest release binary, which didn't include the most recent changes from our shim-branch. This was because a link to the binary or code was requested, and I didn't realize the SBAT section would be needed in that context. Now, I've uploaded the latest binaries from the shim-branch where we're making the shim-related changes: Matrix42AG@a5bc735
I had to delve deeper into the product's history to uncover this information. It appears that prior to the first shim submission, EgoSecure utilized GRUB on older BIOS machines. The team at that time decided to transition to a UEFI Stub kernel build, allowing the kernel to be loaded directly from our boot loader. The CVEs are related to GRUB and were discovered in 2020. Our first successful shim submission was in 2021, by which time we had already switched to loading the Linux kernel directly from our EFI bootloader. (There was a submission made in 2017, but it was never resolved.)
Whether secure-boot is on or off, booting happens the same way, but normally secure-boot should be turned on and this is the scenario we are considering. (will try to point out differences as best as possible) The diagram below describes the boot process for EgoSecure. Let's break it down:
When loading either esboot, pba or ebootmgfw we’re using gnu-efi-> uefi_call_wrapper(…) – so basically, we’re using EFI code that loads the image in memory. We sign all our binaries which when secure boot is active this should prevent loading anything down the chain if the signature doesn’t match.
We have a runtime policy that will measure and appraise everything except for certain file systems like tmpfs, debugfs, procfs, sysfs, cgroups …, and a few log files we need. Having IMA enabled we can make sure that the user-space stays the same.
Please let me know if I should add anything else. |
Re-checking updates:
I've just a couple more nits:
And one final question (sorry!). How would you revoke a kernel if you had to? |
Hi @steve-mcintyre , thank you for responding so fast:
So, we had three reviews submitted in the past:
Based on the above we can confirm that we never signed GRUB binaries.
The option available to us right now is to generate an ESL file with the kernel's binary hashes and submit it to Microsoft for inclusion in the UEFI DBX. |
OK, sounds good!
Let's hope you don't need too many - DBX updates are expensive. For future shims, you might be better off with an embedded I'm not going to say you need to do this now, but it's an In the meantime, I think you're good here today. I'm happy! You'll need a second reviewer to approve this now; I've just tagged |
This sounds interesting, will explore this option for next review. Thank you so much for the time and effort spent here! |
@julian-klode you raised concerns about this back in December. Any update there please? |
1 similar comment
@julian-klode you raised concerns about this back in December. Any update there please? |
Hi @steve-mcintyre , I think we made a great progress since @julian-klode 's comment in December, and addressed all the concerns raised back then. But it is not clear to us, did you discuss this further internally with him? Do we also need him to review this submission in the current state and approve it, or any other second approval would suffice? |
I could re-review the application, apart from any custom patches, as I mentioned some time ago. I myself am impressed with all the descriptions and clarifications. I raised the discussion part already - please ping me, if no answer arrives in the next days. |
Some sideline comments as @SherifNagy asked for opinions from a broader audience. I find it a bit weird that we are reviewing proprietary DRM solutions. The purpose of this review is not to boot a Linux distribution on a Secure Boot enabled machine for a consumer. It's to enable some convoluted DRM solution where Linux is a cheap iPXE bootloader for a consumer booting a... kiosk/terminal thing? I don't think we, as the Linux distro community, should be signing products from companies like this. It seems more like a cheap way to get this signed, then something that belongs with the mandate that the Linux UEFI/shim community has. It's also weird that we focus on reproducible builds, but allow proprietary components in this build chain. If we not enforcing a F/OSS bootchain already, we should ensure this is written down and checked for future reviews. |
Adding a blocked label for now, we are still waiting some info from MSFT folks and will update the ticket once we hear back. |
Hi @SherifNagy, I hope you're doing well. We wanted to check in and see if there's been any update from MSFT and if there's anything we can do to support the process. Additionally, we wanted to bring to your attention that on August 13, Microsoft released KB5041580 (OS Builds 19044.4780 and 19045.4780), which impacts users of previous versions of SHIM and also affects earlier releases of our product. |
Hi @SherifNagy , @steve-mcintyre . It has been almost 3 weeks since this was blocked, is there no update from MSFT side? Thank you, |
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/Matrix42AG/shim-review/releases/tag/2024-07-31_15-20-09
What is the SHA256 hash of your final SHIM binary?
7409c799415b69dfc6222a844b072f79aa14f5b57f1bea07a442c17d74390b33
What is the link to your previous shim review request (if any, otherwise N/A)?
#199
#169
#7
The text was updated successfully, but these errors were encountered: